Addressing Operational Risk by Using a Risk Based Internal Audit Approach: Benefits offered to Romanian Banking System

Transcription

1 Addressing Operational Risk by Using a Risk Based Internal Audit Approach: Benefits offered to Romanian Banking System TATIANA DANESCU ANCA MUNTEAN Faculty of Economics, Juridical and Administrative Sciences, Petru Maior University 1, Nicolae Iorga Street, , TG.Mures, ROMANIA tatiana_danescu@yahoo.com, oltean_anca2005@yahoo.com Abstract: - The adoption of the Basel II Accord by the National Bank of Romania starting with the year 2008 highlights important transformation regarding the banking system. A more sophisticated approach considering risks is to be developed under the guidance of the NBR emphasizing in the form of recent regulation the necessity for expanding internal risk based measures. Thus, creating a risk management framework, the traditional approach on audit focusing on financial areas, compliance wit laws and regulation has to be redefined in order for the aim of audit to be reached: value creation. We propose a procedural guidance on how to address problems regarding operational risk internal auditing by stressing particularities of banking organization working on Rumanian territory. Key-Words: - Risk Based Internal Audit, Internal Controls, Risk Assessment, Risk Management, Romanian Banking System 1 Introduction Operational risk has been defined by the Basel Committee on Banking and Supervision [1] as the risk of loss resulting from inadequate or failed internal procedures, people, systems or from external events. Extending this somewhat ambiguous definition a detailed loss event type classification was presented [2] which contains: internal fraud, external fraud, employment practices and workspace safety, clients products and business practices, damage to physical assets, business disruption and system failures, execution delivery and process management. The problem of addressing operational risks is of special interest for audit since they ingrain a strong internal component. In this sense such risks are specific to the factors and circumstances of each institution including: firms specific processes, culture, personnel, technology and have a strong dynamic in time changing along with business strategy, processes, technology and competition [3]. The role of internal audit is obvious since the aim of such an undertaking refers to providing an independent opinion about whether the objectives of one institution are achieved, and if not to define the circumstance that hinder from accomplishing them. In the context of value addition to the organization, there is increasing pressure for addressing exposure to risks, regulatory requirements for risk assessment and quantification play in these sense a great role. The shift from a traditional approach of internal audit is requested by current trends of corporate governance and risk management. Practices that include a tick and check approach used to perform compliance audits focusing mainly on branches need to be redefined and redirected to high risk areas (e.g. treasury, risk management) Risk Based Internal Audit (RBIA) focuses on risks being managed to acceptable levels since risks are defined in close correlation with the organizations objectives [4]. Moreover, internal control is a process, which manages risks, internal auditing provides an opinion about whether internal controls are managing risks to acceptable levels. Using this approach, the present paper offers a practical procedural guidance on how RBIA ISSN: ISBN:

2 could be developed for assisting the organization in an effective risk management and control over operational risks, taking in consideration some particularities of the Romanian banking system. 2 Problem Formulation Basel II Capital Adequacy Framework was initiated in 2001, providing a robust risk management view that rests on three pillars. The first pillar addresses the problem of well capitalized banks in the context of defining capital charges for specific risks: credit, market and operational. Offering a risk assessment approach, Basel II Accord makes commercial banks partners to regulators in computing individual capital adequacy, or, more precisely, minimum capital requirements under three solutions: the Basic Indicator Approach, the Standardized Approach and the Advanced Measurement Approach (AMA). Banks using the basic indicator approach solution must hold capital for operational risk reasons equal to a fixed percentage (α=15%) from the gross income averaged over a 3-year period. The standardized approach also uses gross income as a proxy of operational risk exposure. But contrary to the basic approach which looks indiscriminately at the whole institution s gross income as indicator of op. risk the latter approach differentiates between classes of operational risk exposure. Gross income - is divided among eight pre-determined business lines each of them having a different risk percentage (from 12%-18%). By summing up we obtain the capital charge. The advanced measurement approach is shaped by: the internal measurement approach (IMA), loss distribution (LD), and scoreboard. AMA features some prerequisites: one of the most important relates to the database requiring that data should go back at least 5 years, also a bank must have high technology that captures, filters, and reports operational risk information, nevertheless it is necessary to integrate external operational risk loss data for model testing and improved model usage. In this approach emphasize is put in creation of a flexible framework represented by developing internal ratings-based (IRB) methods which could lead to self-discipline in the capital reserves ratio. Internal ratings-based solutions enable banks to internally assess their own key risk drivers that will serve as primary inputs to their computation of capital requirements. For this reason it is believed that IRB solutions have much higher risk sensitivity, creating benefits for senior management and the bank as a whole. The second pillar refers to regulatory validation and supervision. The more freedom credit institution achieve by computing their capital requirements, the more regulators need to inspect the bank s procedures, systems and models used to establish capital adequacy. The third pillar encourages reliable financial disclosure in order to achieve market discipline. Disclosures specify credit, market and operational risks so that supervisors are required to implement at least a minimum set of disclosure requirements. Transparency in financial accounts is the milestone of market discipline As Chorafas [5] points out, the common ground of the three pillars is the credit institution s own internal control system. Open feedback channels and objective information reaching all levels of management are essential characteristics that support the notions that give essence to the three pillars framework. Moreover, because operational risks represent loss resulting from inadequate or failed internal processes and from external events, all three of the pillars encompass operational risks. Lessons learned from the American and European banking experience showed that managing these risks generates all sorts of challenges. Explanation is given on the one hand from the inaccurate perception about the nature of this risks and lack of appropriate understanding by senior management, on the other hand scarcity of resources, little regulatory guidance on specific key issues, few proven methodologies and tools are to be blamed [6]. Regarding the Romanian banking system, the National Bank of Romania (NBR) prefigured a four-step implementation strategy of Basel II principles, the actual application started with the year Connecting with the European Capital Requirements Directives the NBR emitted the 18/2009 Regulation which articulates ISSN: ISBN:

3 the importance given to the development of internal evaluation of capital requirements to risks. The timescale for total compliance is 30 June A great deal of significance is put on issues like: creating sound internal control systems, defining methodologies of risks assessment and quantification, providing independent, objective opinion about effectiveness of risk management and internal controls including regulatory compliance by the bank, advancing solid explanations in case of differences between results obtained by applying intern methodology vs. NBR requirements. The most recent statistics provided by the NBR considering this subject are dated [7]. The structure of Romanian banking system is as follows - total bank assets 76,8 billion EURO, which represents 65% of GBP derived from: Banks with majority domestic capital - 6 institutions Banks with majority foreign capital - 36 institutions Foreign bank branches 10 From the total of 42 banking institution, only 32 report the capital requirements to the NBR, the foreign bank branches having no obligation in this sense. Concerning operational risk 93,55 % of reporting banking institution have chosen the basic indicator approach whereas the rest of 6,45% adopted the standardized approach. None of the reporting institutions adopted the AMA. Moreover, regarding the structure of required capital, 11% is assessed from operational risks, 88% represents capital required in order to manage credit risk and 1% is allocated for managing market risk. The data evidence indicates poor capacities concerning future development of internal ratings-based methods considering the fact that only two credit institutions adopted an approach that is to be developed into a more sophisticated and risk sensitive tool for required capital sizing. Indeed these IRB methods come with a price but as Chorafas [8] pinpoints some credit institutions think of cutting corners in operational risk control studies, but others aptly suggest that in the longer run this will be counterproductive. Skipping the discovery and experimental phase, for example, will prove to be very costly later on. From another point of view capital allocation must not only account for identified major areas of risk but also reflect on business perspectives. Taking this context we must consider the function that is played by internal audit in supporting the achievement of objectives by evaluating and commenting on the effectiveness of risk assessment, internal control systems and corporate government processes. 3 Problem Solution In order to come up with a relevant answer on how to address operational risks from an IRB perspective, we have to reconsider the traditional approach on audit. As stated in the introduction, the objective of internal audit is to advise management with respect to the functioning of internal control systems, and to add value to the organization by preventing losses resulted from risk exposures. The role of an internal auditor is therefore to advice and to make recommendations. Regarding banking internal audit the traditional approach adopts the methodology of transaction testing; testing the accuracy and reliability of accounting records and financial reports; integrity, reliability and timeliness of control reports and adherence to legal and regulatory requirements [9]. For a better understanding of the new scope of audit we can begin by looking at internal control systems. ICS are detective and preventive processes the firm has in place to reduce the frequency or the severity of operational risk losses or to eliminate altogether the chance of operational risk events. Controls operate by reducing the risk exposures created by the business environment, in the way of detecting causes, preventing specific individual risks from arising and by mitigating their effects when they do arise. They can be specific e.g.: the confirmation process after a trade or the due diligence before a new hire, or general e.g. a risk and control self-assessment process used to detect and assess risks. Risk Based Internal Audit is driven by risks and reports whether these are managed, the focus being on managing the future. RBIA is targeted on on: ISSN: ISBN:

4 1. risk identification 2. prioritization of audit area 3. allocation of audit resources in accordance with risk assessment. Detailing the 18/2009 Regulation [10] we can highlight a risk management framework consistent with risk approach to audit. Following this approach, NBR included important elements such as: 1. management structure has to identify and evaluate risk using methods, procedures, instruments that account for classify negative factors that hinder achievement of objectives; 2. risk evaluation has to include identification of controllable and uncontrollable events. For controllable risk the banking institution has to define control systems that are to reduce risk impact according to the profile risk of the bank. Uncontrollable risks are either accepted, eliminated, or reduced; 3. internal audit function has to adapt a risk identification methodology and also it has to be provided with sufficient resources; 4. contingency plans are to be developed considering plausible scenarios to which the institution can be exposed according to the dimension and complexion of activity. Creating a risk management framework seems to be an effort that the Romanian supervisor is willing to undertake at regulation level, internal audit can only provide assurance that this framework is in place. The concept of risk has the central place in everything discussed above. Risk is a measure of probability and severity of unwanted effects, or, more specific it s a metric that provides insight to the operational risk impact. There are two dimensions to every risk: the event s probability (high/low frequency) the event s potential size of loss (high/low impact). From this perspective an effective RBIA implies a risk approach by the organization that address issues like: depicting all significant inherent risk; evaluating the risks and creating priorities regarding the threat they represent; defining risk appetite so that inherent and residual risk can be evaluated to determine whether these are above or below it. Inherent risk represents frequency and loss determined by one risk before any internal controls are taken into account whereas residual risks embed the effects of internal control systems. The difference between inherent risk and risk appetite is the control score that measures efficiency of control systems. We can consider this risk approach as a prerequisite in order for implementation of an RBIA. Furthermore a three stages plan can be imagined that will embody: 1. assessment of risk maturity of the organization; 2. assigning risks to an audit that will examine their management. Also set up a Risk and Audit Universe and draw a Audit plan; 3. Carrying out individual risk based audits and feed-back the audits into the Risk Audit Universe; 3.1 Assessing Risk Maturity The bank risk maturity is taken as the starting point. Scoring and sorting risk with the aim of creating a database a risk register is the first step to take into consideration. The assessment of risk appetite concerning operational risks is provided by management and from the evaluation of this register the internal auditor can conclude the risk maturity of the bank. The risk register will provide information needed for creation of the audit plan. Following the IIA U.K and Ireland Positions (2003) organization risk maturity can take the contour of: Risk enabled: Risk management and internal controls are fully embedded into the operations. Risk management and monitoring controls are sophisticated, a complete risk register is provided. The emphasize of the audit work regards proper processes development. Risk managed: Enterprise wide approach to risk management are developed and communicated, nevertheless weaknesses are found and are to be reedited. Risk defined: Risk appetite defined. Strategies and policies are in place and communicated. Internal audit will act as a consultant to facilitate the construction of a complete risk register. Individual audit must emphasize on understanding risk maturity in the area being audited, great importance is put on identification ISSN: ISBN:

5 of risk, also consultancy may be needed where weaknesses are found. Risk aware: no risk register is available, only few managers will have determined their risk. Internal audit will act as a consultant to undertake risk assessment, and to determine the work required to implement a risk framework. Risk naïve: Internal audit will promote or will provide consultation on establishing a risk management framework. 3.2 Production of an Audit Plan The risk and audit universe is an extension of the management s risk register. This will consist of: risks identified by management and scores attached to them; processes and objectives that this risks threaten; identification of the owner of the risk- the person responsible with risk management; the audit that provides an opinion about the management of each risk, details of the last and next audits, details of controls and managing the risk. An important step is the allocation of risk to audits which will determine the scope of individual audit. Audit is allocated by category of risk identified and by the response of the organization to risk. Possible responses given by the organization to risk can be: to tolerate- if there is no possibility of cost efficient risk reduction: in this case the need of contingency plan should be considered; to transfer- outsourcing most of the cost of impact; to terminate- remove circumstance giving rise to risk; to treat- implement a system of internal control that can reduce risk below risk appetite. After achieving an image about risks, scores, audit linked to them, the approach that is used should be considered. The audit can either provide assurance or it can offer consultancy. Assurance will be adopted if control score is high confirming that risks are properly managed. The consultancy approach is recommended if control scores are low, audit will facilitate management s identification, assessment, managing and monitoring of operational risk. Before publishing the audit plan, resource allocation is necessary, it is required to estimate a total number of days per audit and also human resources are to be assigned. The planning phase can be divided into following: 1. divide banking operations into operational risk auditable entities/activities (e.g. divisions, branches, risk related projects, activities); 2. identification of key risk factors: (e.g. failed transactions, errors and omissions, fluctuation of personnel, activity growth, fraud cases detected, product development and new operation, adequacy of security measures, major changes in operations, programs, systems and control, deviations from approved budget, etc.) that are to be expressed quantitatively, qualitatively or in combination; 3. assignment of a risk rating to each auditable entity/activity (e.g. high/medium/low); 4. decision about which audit to perform considering management request. 3.3 The individual assurance audit In this step the principle of guidance is that for each risk covered, the audit should give reasonable assurance that [11]: management has identified, assessed and responded to risks above the risk appetite; internal controls are effective in reducing the inherent risks to below the risk appetite; reduction of residual risks within the risk appetite, or the board has been informed that they will be tolerated, transferred or terminated; monitoring processes by management to ensure they continue to operate effectively; Following the types of risk maturity emphasize on auditing should be: for risk managed and risk enabled management processes e.g. resources, documentation, methods and reporting; for risk defined risk identification, are controls operating? risk naïve and risk aware management involvement in risk assignment. 4 Conclusions Looking at the most recent statistics Romanian banking system operates with a rough measurement of operational risk, since it is not ISSN: ISBN:

6 based on any loss data specific to the institution. Advancing from the standardized approach to the internal measurements method will provide greater accuracy by ensuring sensitivity to measurements. But in order to achieve that, internal risk based methods are to be developed. We proposed a procedural guidance about how RBIA could be developed in the purpose of adding value to the bank activity supporting the NBR view in creating efficient risk management. Two of the most important factors to be taken into consideration about the current state are: 1. Considering gross income as a proxy indicator for operational risk presents at least a major inconvenient that is to be stated: the more money one entity makes the more it is taxed in terms of operational risk capital reserves even if the level of operational risk profiling the business is low. In this sense this op. risk measurement is better fitted for small, unsophisticated banks. An advanced method will select more indicators providing accurate operational risk description. 2. Regulations provided by the supervisor authority reflect a high tendency regarding the implementation of a risk management framework. Having this as one of the most favorable premises, RBIA presents some of the following advantages: management has to face up to their responsibility to risk and to become more involved, resources are justified by the proportion of risks that are to be audited, efficiency is assured by directing audits to high risk area whereas financial area may not always represent great risks, recommendation are to be used in risk mitigation resulting surplus value. RBIA involves the whole organization, it is less introspective by contributing to objective performance. study in operational risk management, Dissertation, 2005, available at tions/diss_adusei-poku.pdf. [4]Griffiths, David, M. Risk Based Internal Audit An introduction, 2006, pp.5-9, available at [5]Chorafas, Dimitris, Economic Capital Allocation with Basel II, Elsevier Publishers, 2004, pp.6-7; [6] KPMG Report 2008, available at Managing_Operational_Risk.pdf [7] Georgescu Florin, Sistemul bancar în România- prezent şi perspective, Presentation at Finmedia Conferences, 2009 [8]Chorafas Dimitris, Operational Risk with Basel II, Elsevier Publishers, 2003, pp [9]Sharma, G. V., Risk Based Internal Audit in Banks, Chartered Accountant, 2004, pp [10] National Bank of Romania, 18/2009 Regulation, available at: [11] The Institute of Internal Auditors. Risk Based Internal Auditing, Position Statement, 2003, pp.1-4 available at [12]Griffiths, David, M. Risk Based Internal Audit Three Views of Implementation, 2006, pp , Available at References: [1]Basel Committee on Banking Supervision, Operational Risk Supporting Document for the New Basel II Approach (2001) pp.2; [2]Basel Committee on Banking Supervision International Convergence of Capital Measurement and Capital Standards A Revised Framework (2004), Annex 7; [3]Adusei-Poku, Implementing a Bayesian network for foreign exchange settlement: a case ISSN: ISBN: